Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DOCSP-39361 - OIDC #895

Merged
merged 6 commits into from
Jun 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions source/fundamentals/authentication.txt
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ Enterprise Edition which includes:

- ``Kerberos (GSSAPI/SSPI)``
- ``LDAP (PLAIN)``
- ``MONGODB-OIDC``

.. note::
For instructions on MongoDB driver installation and deployment setup, see
Expand Down
215 changes: 214 additions & 1 deletion source/fundamentals/authentication/enterprise-mechanisms.txt
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,16 @@ Enterprise Authentication Mechanisms
:depth: 1
:class: singlecol

.. facet::
:name: genre
:values: reference

.. meta::
:keywords: ldap, encryption, principal, tls

In this guide, you can find sample code for connection to MongoDB with each
authentication mechanism available in the MongoDB Enterprise Edition:
``Kerberos (GSSAPI/SSPI)`` and ``LDAP (PLAIN)``.
``Kerberos (GSSAPI/SSPI)``, ``LDAP (PLAIN)``, and ``MONGODB-OIDC``.

``Kerberos (GSSAPI/SSPI)``
--------------------------
Expand Down Expand Up @@ -138,3 +145,209 @@ in the following sample code.
The authentication mechanism is named ``PLAIN`` instead of ``LDAP`` since it
authenticates using the `PLAIN Simple Authentication and Security Layer
(SASL) defined in RFC-4616 <https://tools.ietf.org/html/rfc4616>`_.

MONGODB-OIDC
------------

.. important::

The MONGODB-OIDC authentication mechanism requires {+mdb-server+} v7.0 or later running
on a Linux platform.

The following sections describe how to use the MONGODB-OIDC authentication mechanism to
authenticate from various platforms.

For more information about the MONGODB-OIDC authentication mechanism, see
:manual:`OpenID Connect Authentication </core/security-oidc/>` and
:manual:`MongoDB Server Parameters </reference/parameters/#mongodb-parameter-param.oidcIdentityProviders>`
in the {+mdb-server+} manual.

.. _node-mongodb-oidc-azure-imds:

Azure IMDS
~~~~~~~~~~

If your application runs on an Azure VM, or otherwise uses the
`Azure Instance Metadata Service <https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service>`__
(IMDS), you can authenticate to MongoDB by using the {+driver-short+}'s built-in Azure
support.

To specify Azure IMDS OIDC as the authentication mechanism, set the following options
in your connection string:

- ``username``: If you're using an Azure managed identity, set this to the client ID
of the managed identity. If you're using a service principal to represent an
enterprise application, set this to the application ID of the service principal.
Otherwise, omit this option.
- ``authMechanism``: Set to ``MONGODB-OIDC``.
- ``authMechanismProperties``: Set to
``ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>``.
Replace the ``<audience>`` placeholder with the
value of the ``audience`` parameter configured on your MongoDB deployment.

The following code example shows how to set the preceding connection options:

.. code-block:: js
:emphasize-lines: 3-4

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<username>@<hostname>:<port>/?authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

.. _node-mongodb-oidc-gcp-imds:

GCP IMDS
~~~~~~~~

If your application runs on a Google Compute Engine VM, or otherwise uses the
`GCP Instance Metadata Service <https://cloud.google.com/compute/docs/metadata/querying-metadata>`__,
you can authenticate to MongoDB by using the {+driver-short+}'s built-in GCP
support.

To specify GCP IMDS OIDC as the authentication mechanism, set the following options
in your connection string:

- ``authMechanism``: Set to ``MONGODB-OIDC``.
- ``authMechanismProperties``: Set to
``ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>``.
Replace the ``<audience>`` placeholder with the
value of the ``audience`` parameter configured on your MongoDB deployment.

The following code example shows how to set the preceding connection options:

.. code-block:: js
:emphasize-lines: 3-4

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

Custom Callback
~~~~~~~~~~~~~~~

The {+driver-short+} doesn't offer built-in support for all platforms, including
Azure Functions and Azure Kubernetes Service (AKS). Instead, you
must define a custom callback to use OIDC to authenticate from these platforms.

First, define a function that retrieves the access token to use for OIDC authentication.
This function must have the following signature:

.. code-block:: js

const myCallback = (params: OIDCCallbackParams): Promise<OIDCResponse> => { }

The ``OIDCCallbackParams`` parameter contains the following properties, which you can
access inside the function:

.. list-table::
:header-rows: 1

* - Property
- Value
* - ``timeoutContext``
- An ``AbortSignal`` that aborts the authentication workflow after 30 seconds
* - ``version``
- The current OIDC API version
* - ``idpInfo``
- The identity-provider information returned from the server
* - ``username``
- The username included in the connection string, if any
* - ``refreshToken``
- The refresh token to request a new access token from the issuer, if any

The callback function must return an ``OIDCResponse`` object. This object contains the
following properties:

.. list-table::
:header-rows: 1

* - Property
- Value
* - ``accessToken``
- The access token to use for authentication.
* - ``expiresInSeconds``
- *Optional.* The number of seconds until the access token expires.
* - ``refreshToken``
- *Optional.* The refresh token to request a new access token from the issuer.

The following example shows a callback function that retrieves an OIDC access token
from a file named ``access-token.dat`` in the local file system:

.. code-block:: js

const fs = require("node:fs");

const myCallback = (params: OIDCCallbackParams): Promise<OIDCResponse> => {
const token = fs.readFileSync("access-token.dat", "utf8");

return {
accessToken: token,
expiresInSeconds: 300,
refreshToken: token
};
}

After you define your callback function, pass it to the ``MongoClient`` constructor
as part of the ``authMechanismProperties`` parameter. The {+driver-short+} supports
the following authentication patterns:

- **Machine authentication:** Used by web services and other applications that require
no human interaction. Select the :guilabel:`Machine Callback` tab to see an example of
this syntax.
- **Human authentication:** Used by database tools, command-line utilities, and other
applications that involve direct human interaction. Select the :guilabel:`Human Callback`
tab to see an example of this syntax.

.. tabs::

.. tab:: Machine Callback
:tabid: machine-callback

For machine authentication, assign the callback function to the
``authMechanismProperties.OIDC_CALLBACK`` property, as shown in the following
example:

.. code-block:: js
:emphasize-lines: 4-7

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
authMechanismProperties: {
OIDC_CALLBACK: myCallback
}
});

.. tab:: Human Callback
:tabid: human-callback

For human authentication, assign the callback function to the
``authMechanismProperties.OIDC_HUMAN_CALLBACK`` property, as shown in the following
example:

.. code-block:: js
:emphasize-lines: 4-7

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
authMechanismProperties: {
OIDC_HUMAN_CALLBACK: myCallback
}
});

API Documentation
-----------------

To learn more about the methods and types discussed in this
guide, see the following API documentation:

- `MongoClient <{+api+}/classes/MongoClient.html>`__
- `OIDCCallbackParams <{+api+}/interfaces/OIDCCallbackParams.html>`__
- `OIDCResponse <{+api+}/interfaces/OIDCResponse.html>`__
Loading